Two certs in one week? Doable!

In this post, I will try to review, compare, and contrast two cybersecurity certificates I had the pleasure of passing in the same week: Certified Ethical Hacker v12 and BTL1 from Security Blue Team, which one I would pick if it hadn’t been paid for by my employer, and general tips on how to succeed.

The Why

Firstly, I want to explain why I did the exams for these two certificates in the first place. Usually, when people apply for a certification, it’s because they want a specific certification and learn new things that push them further in their field. In my case, however, it seems more like an exercise in catching up. I already felt comfortable with the skills taught by both companies and for me, personally, it was a rubber stamp I could get for free and better represent myself as well as my employer.

If you looked up both of these certifications, you may think they couldn’t be further apart. They are both security-focused, but one is an ethical hacking cert, while the other literally has “Blue Team” in the name, making these two polar opposites. Firstly, I work in a SOC now, so BTL1 will be useful for my daily activities and proves that I have some basic-as-hell skills from an incident response point of view. The CEH, on the other hand, was necessary for a public tender the company is engaged in, and when asked if I wanted to give that certificate a shot, I immediately said yes, because it’s a cert, but also because it will keep that little door open for any future red-team certifications I may want to take on.

The What

Now that you know my motivation, let me speak a bit about each certificate in turn, so we are on the same page and so there are no misconceptions about what I actually passed.

The CEHv12

The CEHv12 certificate is an “industry standard” pentesting certification. Any book on the matter you may find makes a great bludgeon to kill small-to-medium-sized rodents, and it covers around 20 different areas of penetration testing. As for the exam, it is a 4-hour test that is proctored the whole way through with microphone and camera enabled, discouraging cheating. I have no wish of cheating, but if I did, I would find it quite challenging to do so. It is an industry-standard exam, which you can understand as “many public tenders will require this exam.” The 12th iteration of this certificate also includes an extra lab portion, which you can pass separately; this is a 6-hour exam with 20 questions, one which I have yet to pass (and will write a post on once I do). The price for the certificate and learning material access is $1200, which is a bit steep in my mind, but I can see the value if you’re just starting out. The learning material is there.

The BTL1

The BTL1 certification is not an industry standard, but I can see how it easily could. Blue-team certifications are few and far between, save for some quick courses you can bang out in an afternoon and get a badge for. Personally, until I heard about this certificate from my boss, I had no idea this existed. However, I am glad I learned about it, because this little cert is packed to the gills with information. There are multiple sections, each devoted to a separate section of what you would do in an incident triage scenario. SIEM, digital forensics, memory analysis, incident response, as well as phishing investigations are all included, each with several labs. At GBP500, this certificate is great value for money and comes with 100 hours of lab time. This may seem like a lot, but… yeah, it is. At the time of my exam, I passed all the labs and only spent about 13 hours of lab time.

The exams

Up until now, you may be under the impression that these two certifications are similar. Both contain information and both cost money. This is where the similarities end. Place your bets now, which one is more of a real-life simulation? Surely, the more expensive certification will be the better one, right? Right? No one would spend ungodly amounts of money for a written test with no practical exercises, right? (Foreshadowing done)

CEHv12: A Bloody Cheap Drive

The CEHv12 exam, for the amount of money it costs, is absolutely abysmal in format. In the 4 hours, you need to answer 125 multiple-choice questions. That’s it.

No, I’m not kidding, it’s only theoretical questions! This kind of thing actively encourages braindumping (it’s closed book, you can’t take notes with you into the exam) and the questions range from trivial to outright deranged and unpractical. On one hand, you need to remember that HIPAA is “the law about health,” but then it throws a memory curveball and asks you which command will do a certain nmap scan (listing only the flags). That’s what a --help is for, isn’t it? I know it may not be the fastest way, but there is no way you can learn all the flags by heart without using them. Did I mention the exam contains exactly zero practical exercises? You either know the answer because you read about it and learned it by rote, or you fail the exam. In my mind, this is not a good way to learn pentesting. You learn by doing, whether it’s CTFs, labs you create at home or find online, or watching someone else perform an actual pentest, not by reading textbooks on the matter. In pentesting, I cannot see someone learning everything from a book and then stepping up to a keyboard for the first time and doing as well as someone who spent a couple months doing CTFs.

I can see why the exam gives you 4 hours to answer everything, but the answer is not “because it’s frigging difficult.” It’s because each question is its own paragraph. It’s because each question is tediously long. It’s almost never similar to “What flag runs an nmap scan without a ping scan?” You will get the entire characters backstory (in third person, I might add), so each question has an Alice or a Bob doing some shady and cool stuff with a network, you will learn what they had for lunch and how their morning shit went before you get to the answer. It’s all reading comprehension. I am not a quick reader, but I went through all the questions in about one hour, went back, doublechecked all my answers and was done just around the two-hour mark.

To reiterate, it is a difficult exam, but not because you have do perform some insane tricks or know some cool way to hack a system, you have to learn how to theoretically hack the system, and answer how someone else does it.

BTL1: Short, sweet, immersive

Where CEH sucks balls like it was Kirby in a boba tea shop, the BTL1 really shows what a good exam should be like. The exam environment is the same virtual lab as with every other practice lab (so you are used to the environment), and it shows you 20 questions. I assume there is a larger bank of questions, but none of the questions I saw were theoretical. Some were partially about theory, e.g. “What technique is this using as per MITRE?” but none were something I would only have to read up on. In the beginning, they set up a scene for you (You are tasked with IR in XYZ company, user A informed IT about a problem which led to a full compromise of the network. They did initial triage, and it’s up to you to find out what actually happened.)

The exam is unproctored, so you can swear all you like and look stuff up to your heart’s content. You have 24 hours to answer all questions using various tools that are usually found in a blue-teamer’s toolkit. The workstation you are brought to is your analysis workstation, you have access to the company SIEM, all manner of dumps you can take in a company, and your task is to make sense of the data. I cannot describe more in detail because of an NDA, but it felt like a great exercise where you can play the DFIR superhero we all dream of being one day, coming in and saving the day. Remediation will not be your goal, but from the questions I answered, I think containment and remediation can start immediately afterwards. If you played Cringlecon by SANS, you may get an idea of what I’m talking about with the story. It’s not as fantastic like saving the North Pole, but it’s realistic and to the point.

I really need to reiterate the point of this being more practical; none of the questions are pure theory and if you cannot get an answer in one place, there is a chance some other resource might yield it. SBT does a great job of pointing you to the answers (Look inside X for this) and they even include a chain of custody (of sorts) of what the triage team did and how you can get at the information as quickly as possible. The exam time may seem like a lot to take in, but I personally managed to bang it out in about 4 hours, checking all my answers along the way. I passed with 90%, so I am expecting a gold challenge coin any month now.


If it wasn’t obvious from my previous several paragraphs, if I had to pick an exam to pass when starting out in security, it’s BTL1 all the way. The length of the exam may feel like a lot at once (24 hours always sounds like a crunch), but if you passed the labs, read through the material and grasped the concepts, not just the walkthroughs, you’ll get it done in an afternoon. Compare this with the CEH theoretical exam, which costs more than double the price and only includes theory, and you can see why I’m not a fan of it.

However, I must grant the CEH one point, and that is the awareness. Some attacks described were new to me, at least in name, and now I can see some more potential ways into an attack cycle. Do I know how to actually perform these attacks during a live engagement? No, but that’s not what the CEH should be seen as. If I had to pick a job role where this certificate is incredibly useful, it would be a project lead or a sales guy. This certificate gives them enough information to stay up to speed when their colleagues are discussing some attacks, but not enough to actually be useful as a team member. The second facet of awareness is that many public companies rely on this cert as a litmus test. Many government entities use this as the bar to pass into their good graces, and as I’m writing this, I can see why government security is usually so shit.

The BTL1 gives you a working SOC workstation and lets you play around in it. You can fuck up, but there’s a reset button if you ever decide to delete all the task folders, which is good, but I doubt anyone would do that sort of thing. It does not prepare you that well for working with malware samples, but that is not its scope and you should know not to open an infected file on your own workstation.

My view on CEH, post-exam

I always looked down upon people who only have a CEH, and I still sort of do, but I have now understood the reason many people may have it. It may be by choice, but I hope and believe it’s more because of the push towards this certification. I did not want to pass this exam. If I could choose, I would pick literally anything else. OSCP, RTCO, anything. I was made to pass this exam, and I see how many other people may be pushed this way, too. It’s indispensable if you want to do government work, and it opens the door. If I ever find myself in an interview with someone who has a CEH, I will not laugh at them, but I will inquire more about what else they did to further the attacker skillset. If someone has a CEH and no other interest in pentesting (never did a CTF, doesn’t practice), then the cert may as well not be there. However I think that CEH opens many doors to people in its lack of practical experience, where people will try it, pass it, and then say “Hang on, let me see if I can pass this CTF with this cert!” That is someone I can understand.

In closing

If you have a limited budget and want to get into your first security job, BTL1 is the certificate for you. It’s great fun, you get to play with different tools without having to install them and manage them yourself, they contain tons of interesting findings/logs/samples you can fuck around with, and if you pass, you get a nice shiny coin to prove your proficiency. It’s also narrated by the man, the myth, the legend, John Hammond (if you don’t know him, he’s a great security YouTuber and I hope you check him out.)

If you have been in security for a while, maybe dabbled in pentesting in your spare time, or even if you’re someone who wants to get those sweet, sweet government contracts, then you can’t go wrong with CEH, but for the love of GOD please supplement the cert with some practice. The CEH is good for the talk, but unless you can actually hack something, it’s useless and you will get found out eventually. If you’re just starting out, read the material thoroughly and understand the concepts through play and practice. If you’re more seasoned and understand the topics, read up on what you don’t know, maybe do a couple of practice exams to see where you’re lacking, read up on that and go for it. It’s not difficult, it’s just a lot of wordplay.

I will be honest, I spent about a month preparing for the BTL1 exam (reading the material, running through labs, all the good stuff) and I passed with 90%. The CEH? I took one evening memorizing the entirety of US-centric stuff, reading up on the cloud, and I passed easily. If a dummy like me can pass these certs, you can, too! Whichever you choose and whichever way you decide to take, I wish you the best of luck, may the clock run slowly for you, and may the questions you get be ever in your favour.